topic Looks like there is in Network Security

Issue passing traffic between two internal subnets

James Dykes — Tue, 12 Mar 2019 06:12:42 GMT

I have an ASA 5500 running 8.2(4). There is a static route inside for the 192.168.0.0/24 network to go to 192.168.133.1, which is another router on the firewall's inside network that leads back to their office.

I try pinging from a host in the 192.168.133 network to the 192.168.0 network, and the packet is dropped. A packet-tracer command gives the following output:

4344-FWL001(config)# packet-tracer input inside icmp 192.168.133.100 0 8 192.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc979d518, priority=12, domain=permit, deny=false
        hits=9224348, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=172443571, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=385629755, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
        hits=14153115, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=139932, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I then try to add the network to the no nat group:

access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0

And the packet-tracer fails on a later step:

4344-FWL001(config)#packet-tracer input inside icmp 192.168.133.100 0 8 192.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit icmp any any echo-reply
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc979d518, priority=12, domain=permit, deny=false
        hits=9224458, user_data=0xc7959a20, cs_id=0x0, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=172445451, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=385632692, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0b70, priority=66, domain=inspect-icmp-error, deny=false
        hits=14153257, user_data=0xc96e0a58, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc6b95be8, priority=6, domain=nat-exempt, deny=false
        hits=1, user_data=0xc9d1d7a8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=139933, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9769b48, priority=1, domain=host, deny=false
        hits=16003947, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139551, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
        hits=28, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

What am I missing to get this traffic through the ACLs?

Both networks reside on the

Puneesh Chhabra — Fri, 03 Jul 2015 18:12:24 GMT

Both networks reside on the inside, why would traffic traverse through the firewall ?

I did not architect their

James Dykes — Fri, 03 Jul 2015 19:41:28 GMT

I did not architect their network. Their servers at our location use the firewall as their gateway, and their office connected through a point to point line uses a separate router as its gateway, then traffic to that network from the servers here is supposed to be routed via the firewall to the router.

Can you post a diagram ?

Puneesh Chhabra — Sun, 05 Jul 2015 01:59:16 GMT

Can you post a diagram ?

Hi,

Vibhor Amrodia — Sun, 05 Jul 2015 04:15:59 GMT

Hi,

Actually , you need this configuration to make the communication between the ASA (192.168.133.0/24) to (192.168.0.0/24).

global (inside) 1 interface

static (inside,inside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

Thanks and Regards,

Vibhor Amrodia

I made some changes after

James Dykes — Mon, 06 Jul 2015 17:17:43 GMT

I made some changes after creating this thread. I added both networks to the inside no-nat group and added ACLs. Updated configuration is attached.

The customer is reporting pings are working, but RDP/SQL traffic is not. It looks like the firewall is trying to NAT the traffic to a different network. The packet-tracer output is below.

4344-FWL001# packet-tracer input inside tcp 192.168.133.210 3389 192.168.0.68 $

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip 192.168.133.0 255.255.255.0 192.168.0.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca8e5540, priority=12, domain=permit, deny=false
        hits=492, user_data=0xc7955c90, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca36a9a0, priority=7, domain=conn-set, deny=false
        hits=173249113, user_data=0xca37fb78, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=386801563, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.133.0 255.255.255.0 inside 192.168.0.0 255.255.255.0
    NAT exempt
    translate_hits = 576, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca0671d8, priority=6, domain=nat-exempt, deny=false
        hits=576, user_data=0xc9d1de38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 6
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside 192.168.0.0 255.255.255.0 inside 192.168.133.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 574
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9d5e870, priority=6, domain=nat-exempt-reverse, deny=false
        hits=576, user_data=0xc9d5e1d8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.133.0, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc97697f0, priority=1, domain=nat, deny=false
        hits=140512, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9769b48, priority=1, domain=host, deny=false
        hits=16028284, user_data=0xc9769730, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 139552, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc97699a0, priority=1, domain=nat-reverse, deny=false
        hits=606, user_data=0xc9769730, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 172.16.0.0 access-list vpn_nat
match ip inside 192.168.0.0 255.255.255.0 outside 10.1.7.0 255.255.255.0
    static translation to 172.16.0.0
    translate_hits = 114129674, untranslate_hits = 1964376
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xca3691d8, priority=5, domain=host, deny=false
        hits=194675064, user_data=0xca5562e0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.0.0, mask=255.255.255.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc96e0ef8, priority=0, domain=inspect-ip-options, deny=true
        hits=386801565, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 410248530, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

And entries from the logs:

Jul 2 18:21:35 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/63744 to 192.168.0.112/139 flags RST on interface inside
Jul 2 18:21:41 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:21:43 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59611 flags RST on interface inside
Jul 2 18:21:44 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:21:50 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags SYN ACK on interface inside
Jul 2 18:22:00 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:02 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59619 flags RST on interface inside
Jul 2 18:22:03 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:09 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags SYN ACK on interface inside
Jul 2 18:22:19 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59640 flags SYN ACK on interface inside
Jul 2 18:22:21 216.211.133.59 %ASA-6-106015: Deny TCP (no connection) from 192.168.133.210/3389 to 192.168.0.68/59636 flags RST on interface inside

Looks like there is

Puneesh Chhabra — Tue, 07 Jul 2015 15:57:51 GMT

Looks like there is asymmetric routing, can you try using TCP state bypass for the above mentioned traffic, here is the document for your reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111986-asa-tcp-bypass-00.html

Regards,

Puneesh

This is a crude

robert.jacques — Tue, 07 Jul 2015 22:55:21 GMT

This is a crude representation but hopefully you get the idea.

What is the default gateway

Puneesh Chhabra — Wed, 08 Jul 2015 01:13:48 GMT

What is the default gateway set on 192.168.133.0 machines ?

192.168.133.59Currently some

robert.jacques — Thu, 09 Jul 2015 22:58:21 GMT

192.168.133.59

Currently some machines just have a persistent route that directs 192.168.0.0/24 traffic to 192.168.133.1